On Thu, 2015-07-30 at 06:33 +0800, Ben Harris wrote:
> If you aren't having single use mailbox addresses, then you HAVE to
> share the mailbox address between multiple senders (otherwise the
> server can identify senders breaking M0).
If you use a mailbox per sender and receiver pair then the mailbox
server has stronger attacks on the sender's identity, but this still
reduces to the ambient transport.  Vuvuzela analyzes exactly this case
for their mixnet and traffic scheme. 

I'd rephrase this as: If you use a unique mailbox per sender and
receiver pair, then you must change that box occasionally to avoid
breaking both M0 and the recipient's anonymity.  In fact, you cannot
realistically keep all contacts in a "dialed" state anyway, way too
much traffic, so your dialing protocol might as well assign new boxes.

Conversely, if you have a unique mailbox per recipient, then senders
have only a small anonymity set beyond the ambient transport's
anonymity.  And the recipient has only pseudonymity after the ambient
transport's anonymity. 

We believe that small anonymity set suffices to prevent the mailbox
server from engaging in attacks like modeling an external social graph,
but actually proving that would require considerations like traffic
profile, etc.  I'd love to see an article doing this, actually.
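As an added illustration of the three mailbox policies compared in this message (it is not code from the thread, from Vuvuzela, or from any project discussed here), the following script models what a mailbox server can log under each policy and scores two things: the smallest set of candidate senders for any one mailbox, assuming the server already knows who talks to whom, and the longest run of deposits it can chain to a single sender by mailbox identity alone.  The traffic trace, the epoch-based rotation, the sender and recipient names, and the hash-derived mailbox labels are all constructed for the example; "M0" is not modelled, since its exact definition is not given here.

```python
import hashlib
from collections import defaultdict

# Constructed sample traffic, not from the thread: (epoch, sender, recipient).
# An "epoch" stands in for one round of the dialing protocol.
TRAFFIC = [
    (0, "alice", "xavier"), (0, "bob", "xavier"), (0, "alice", "xavier"),
    (1, "alice", "xavier"), (1, "carol", "xavier"), (1, "bob", "yolanda"),
    (2, "alice", "xavier"), (2, "dave", "yolanda"), (2, "bob", "yolanda"),
]


def _label(*parts):
    # Opaque mailbox identifier as the server would see it (assumed scheme).
    return hashlib.sha256("|".join(parts).encode()).hexdigest()[:16]


# Mailbox assignment policies (assumed, for illustration only).
def mailbox_per_pair(epoch, sender, recipient):
    # One fixed box per (sender, recipient) relationship, never rotated.
    return _label("pair", sender, recipient)


def mailbox_per_pair_rotating(epoch, sender, recipient):
    # One box per relationship, but a fresh one each dialing epoch.
    return _label("pair", sender, recipient, str(epoch))


def mailbox_per_recipient(epoch, sender, recipient):
    # Every sender to a given recipient shares that recipient's box.
    return _label("rcpt", recipient)


def mailbox_shared(epoch, sender, recipient):
    # A single box shared by everyone (sender-side degenerate case).
    return _label("shared")


def server_view(policy):
    """Server log: (epoch, mailbox) per deposit.  The true sender is kept
    alongside only so the scoring functions below can grade the policy;
    the server never sees it directly."""
    return [(e, policy(e, s, r), s) for e, s, r in TRAFFIC]


def min_sender_anonymity_set(policy):
    """Smallest candidate-sender set for any mailbox, assuming the server
    knows the social graph (who deposits into which box)."""
    senders_by_box = defaultdict(set)
    for _, box, sender in server_view(policy):
        senders_by_box[box].add(sender)
    return min(len(s) for s in senders_by_box.values())


def longest_single_sender_chain(policy):
    """Most deposits the server can chain to one sender purely by mailbox
    identity: only boxes fed by exactly one sender count, others give 0."""
    deposits = defaultdict(int)
    senders_by_box = defaultdict(set)
    for _, box, sender in server_view(policy):
        deposits[box] += 1
        senders_by_box[box].add(sender)
    chains = [deposits[b] for b, s in senders_by_box.items() if len(s) == 1]
    return max(chains) if chains else 0


POLICIES = {
    "per pair, fixed": mailbox_per_pair,
    "per pair, rotating": mailbox_per_pair_rotating,
    "per recipient": mailbox_per_recipient,
    "shared": mailbox_shared,
}

if __name__ == "__main__":
    for name, policy in POLICIES.items():
        print(f"{name:20s} min anonymity set={min_sender_anonymity_set(policy)}"
              f"  longest chain={longest_single_sender_chain(policy)}")
```

On this trace the fixed per-pair policy lets the server chain every message of the busiest relationship together, rotating the box per epoch caps that chain at one epoch's worth of traffic, and a per-recipient box hides which contact sent a given message but only within that recipient's small contact set, which is the "small anonymity set beyond the ambient transport" the message describes.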


